Experts on Application Security & Developer Training

We asked 8 security experts to answer 4 questions on the state of application security and developer training.

Application security is a persistent concern for organisations. Applications are the most common attack vector, yet only 11% of security managers believe their company’s applications are secure. This lack of confidence stems from ad-hoc requirements, the absence of a formal security process and a disconnect between executives and practitioners. For that reason, we asked 8 security experts to answer 4 questions on the state of application security and developer training:

What is the biggest challenge organisations currently face training software developers in application security?

How can organisations ensure that developers are well trained in application security?

In your experience, how effective is security training in changing developer behaviour?

What do you think is the biggest threat to application security organisations will face in the next five years?

This is what they had to say:

1) What is the biggest challenge organisations currently face training software developers in application security?

"There are a few different problems organizations face. First, a lot of companies are outsourcing the development to third parties and those third parties are producing massive amounts of insecure code. There needs to be appropriate checks and balances within third party outsourced companies with appropriate testing of source code prior to any deployment within the organizations. Additionally, these organizations need to have stringent coding practices and companies should focus on language inside of SLAs that these companies should be held to additional security standards. For companies that still develop in house, there’s often a learning curve that new developers have to overcome in order to code properly. Most have moved to agile development which allows quick and fast enhancements and changes; however, there still need to be standards and guidelines in agile, in order to ensure code is properly secured. An organization should have a dedicated application security group that focuses on doing continual reviews of critical applications and focusing on protecting those applications." - David Kennedy, Founder, Principal Security Consultant at TrustedSec. Follow him on Twitter: @HackingDave

"Frankly, I think it’s that they haven’t yet had an incident serious enough for the penny to drop that developer training is actually a worthwhile investment. The problem we continue to face is that whilst the investment in security is often a very tangible figure, the return and in particular the likelihood of it paying dividends is far more hypothetical. It often takes a breach for the ROI on developer training to be realised." - Troy Hunt, Software Architect and 4x Microsoft MVP. Follow him on Twitter: @troyhunt

"Security is a young field, and you can get arbitrarily good at other skills (performance, reliability, usability, flexibility) and remain completely ignorant of basic security requirements. This is something even the gurus need to know about -- the very people who are generally far too skilled to ever require training." - Dan Kaminsky, Chief Scientist at White Ops. Follow him on Twitter: @dakami

“One of the challenges is in the experience shared in the training. It is important to have something that bonds with the developer, and most approaches only focus on pointing out some common mistakes that individually sound simple. I believe having real cases and demonstrations on how the errors affect security, and the impacts on the project to correct the errors, are a better way to go. Mapping the cost of fixing against the cost of developing correctly at the beginning is also important. Another important point is to have someone that understands the developer. In most cases I see, a security guy goes in and starts teaching the developers how to do their jobs. The security guy doesn't really understand the challenges the developers face (such as time pressures, project constraints) and thus the developers see the training as one more burden on their development time.” - Rodrigo Branco, Vulnerability & Malware Researcher. Follow him on Twitter: @bsdaemon

“The biggest hurdle is prioritization and focus on security as an organization. Many developers are not incentivized to put security before speed and features, which can be a cultural challenge to overcome.” - Dave Shackleford, CEO at Voodoo Security. Follow him on Twitter: @daveshackleford

“While training is good, the biggest challenge is incorporating application security tools into the development process. The training should be in how to use the tools. The process would mandate the tools.” - Richard Stiennon, Executive Editor at securitycurrent. Follow him on Twitter: @stiennon

“Avoiding the development “sweatshop” approach. There is an expectation that developers should "learn on their own time." Most developers want to learn more. They want to learn new languages and new coding practices - including security. Getting the organizations to pay (and allow time) for learning secure coding practices is often the hardest part.” - Patrick C Miller, Critical Infrastructure Security and Compliance Advisor. Managing Partner at The Anfield Group. Follow him on Twitter: @PatrickCMiller

“The biggest challenge is that developers don't take the threat seriously. SQL injection (SQLi) and Cross Site Scripting (XSS) are by far the most common ways to successfully attack websites, yet developers still think these are only "theoretical" and wouldn't work in the real world.” - Robert David Graham, Owner of Errata Security. Follow him on Twitter: @ErrataRob

2) How can organisations ensure that developers are well trained in application security?

“Firstly, it should form part of the developer’s learning plan; formalise the training requirement in the same way that other aspects of professional and personal development are formalised. Secondly, get them involved and engaged in security. Frequently, security teams will throw risks they discover over the fence to developers then leave them to their own devices to interpret the risks, draw conclusions on the value of the findings then fix them accordingly. Finally, the training is only going to help if there’s a culture of security from the top down. It takes investment in both time and money to get developers app sec aware and that endorsement needs to come from the top.” - Troy Hunt, Software Architect and 4x Microsoft MVP. Follow him on Twitter: @troyhunt

“I believe one of the most interesting ways is to teach developers how their software is exploited. Having an understanding of how the exploitation works helps them visualize the situations where their code is failing. The security guy is better at security and when he teaches exploitation, he is teaching security, not development. That way, I believe the developers pay more attention and they map the mistakes exploited back to how they develop.” - Rodrigo Branco, Vulnerability & Malware Researcher. Follow him on Twitter: @bsdaemon

“Aside from traditional training courses like those offered by SANS and other training firms, there are numerous books on the subject, as well as online tutorials. The key is to incentivize the development teams to continually learn new methods for securing their code. A weekly "Lunch and Learn" type effort can go a long way toward this.” - Dave Shackleford, CEO at Voodoo Security. Follow him on Twitter: @daveshackleford

“Mandatory yearly training as well as having ‘go to’ folks either in security or within the development team who help with peer review. Code reuse and centralized sanitization functions should be used as well throughout the organization in order to ensure consistent standards around secure coding practices.” - David Kennedy, Founder, Principal Security Consultant at TrustedSec. Follow him on Twitter: @HackingDave

“Include adequate training time, security certification and other “practical” methods for improving secure coding knowledge into job description and job performance goals. This requires the employer to offer/allow/cover (cost) the training and the developer to complete the training. This approach reinforces the company’s [low] tolerance of software flaws (through direct financial/time appropriation) and improves the developer’s knowledge, confidence and security practice - while forming a relationship or bond around the subject between both parties.” - Patrick C Miller, Critical Infrastructure Security and Compliance Advisor. Managing Partner at The Anfield Group. Follow him on Twitter: @PatrickCMiller

“Organisations should deploy software security tools that are integrated with IDEs. Code should be scanned as it is submitted and any security issues immediately highlighted.” - Richard Stiennon, Executive Editor at securitycurrent. Follow him on Twitter: @stiennon

“Pen tests are useful for at least demonstrating the existence of a problem. It's hard to get buy-in when people think security is other people's problem.” - Dan Kaminsky, Chief Scientist at White Ops. Follow him on Twitter: @dakami

“Do code reviews. If programmers are doing the wrong thing, such as pasting together SQL queries rather than using parameterized queries, then obviously the training hasn't worked.” - Robert David Graham, Owner of Errata Security. Follow him on Twitter: @ErrataRob
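Graham's two remarks above, that SQL injection is still the most common way to attack a website and that pasting together SQL queries instead of using parameterized ones is the tell a code review should catch, as an added example that is not code from any of the quoted experts. The table, the sample rows and the login functions are constructed for this example; it uses Python's built-in sqlite3 module with an in-memory database so it runs offline:

```python
"""Added example: a string-concatenated login query beside its parameterized
form, exercised with two classic injection strings. Schema and sample rows are
constructed for this example."""
import sqlite3

# Constructed sample data (plaintext passwords only to keep the example short).
SAMPLE_USERS = [
    ("alice", "s3cret-alice", "user"),
    ("bob", "s3cret-bob", "user"),
    ("root", "s3cret-root", "admin"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, name, password):
    # Untrusted input is pasted into the SQL text, so it becomes part of the
    # query grammar. This is the pattern a reviewer should reject on sight.
    query = ("SELECT name, role FROM users WHERE name = '%s' AND password = '%s'"
             % (name, password))
    return conn.execute(query).fetchall()


def login_parameterized(conn, name, password):
    # Placeholders keep the data out of the grammar: the driver binds the values
    # after the statement is parsed, so quotes and comment markers stay literal.
    query = "SELECT name, role FROM users WHERE name = ? AND password = ?"
    return conn.execute(query, (name, password)).fetchall()


# Constructed attack strings.
TAUTOLOGY = "' OR '1'='1"   # turns the WHERE clause into something always true
COMMENT = "root'--"         # closes the name literal and comments out the password check


def demo():
    conn = make_db()
    return {
        "vuln_honest": login_vulnerable(conn, "alice", "s3cret-alice"),
        "vuln_tautology": login_vulnerable(conn, TAUTOLOGY, TAUTOLOGY),
        "vuln_comment": login_vulnerable(conn, COMMENT, "wrong"),
        "safe_honest": login_parameterized(conn, "alice", "s3cret-alice"),
        "safe_tautology": login_parameterized(conn, TAUTOLOGY, TAUTOLOGY),
        "safe_comment": login_parameterized(conn, COMMENT, "wrong"),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:16s} -> {rows}")
```

With the tautology string the concatenated query becomes `WHERE name = '' OR '1'='1' AND password = '' OR '1'='1'`, which matches every row; with `root'--` the password comparison is commented away and the admin row comes back. The parameterized version returns nothing for either string because the bound values are compared as data, not executed as SQL. In a review, the presence of `%`, `+` or f-string formatting on a line that builds SQL is the signal, independent of whether the reviewer can name the payload.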

3) In your experience, how effective is security training in changing developer behaviour?

“It really depends on the training itself. A lot of training is boring for developers – having a training session that can relate to the developers really helps. What I love to do is teach the developers how to hack, then from there show them how to secure their code. This often has a resonating effect because developers don’t often get to see how their code is actually exploited and how to best defend against it. In these types of scenarios we see a high success rate in what developers learn and how they shift their coding standards to something more secure.” - David Kennedy, Founder, Principal Security Consultant at TrustedSec. Follow him on Twitter: @HackingDave

“Depends on the training! Everyone learns in different ways, but in my experience, the training has to be very hands on and very practical. I always give people the tools and the knowledge to exploit the risks themselves. I favour the “Hack Yourself First” approach Jeremiah Grossman championed some years ago and have subsequently created training for developers that does just that – here is a vulnerability, here is how to exploit now here’s the defensive coding practice and here’s why it works. Developers tend to gravitate towards challenging puzzles so I always make sure they’ve got something to sink their teeth into and get really involved with.” - Troy Hunt, Software Architect and 4x Microsoft MVP. Follow him on Twitter: @troyhunt

“Training developers is much more effective than typical security awareness training for end users. Developers immediately grasp the implications of secure coding practices.” - Richard Stiennon, Executive Editor at securitycurrent. Follow him on Twitter: @stiennon

“Without broad organizational support, not very effective. Training can teach the techniques, but allowing for additional code review and QA time, as well as more thorough and secure development in the first place, must be encouraged from business unit and IT management.” - Dave Shackleford, CEO at Voodoo Security. Follow him on Twitter: @daveshackleford

“Knowledge is power. Developers would all like to get more from less code. Security is often an addition and can get very complex very quickly. This reduces confidence and desire to include the additional security coding effort. Training in secure coding practices is probably the most effective way to reverse this problem.” - Patrick C Miller, Critical Infrastructure Security and Compliance Advisor. Managing Partner at The Anfield Group. Follow him on Twitter: @PatrickCMiller

“In the situations where I used the exploitation approach I got a way better result. One difficulty that I see in the organizations though is how to measure the success of such trainings. Probably a good idea to use hackathons and/or peer-review after the trainings to see the quality of the newly generated code.” - Rodrigo Branco, Vulnerability & Malware Researcher. Follow him on Twitter: @bsdaemon

“It depends. If there's been an actual breach, extremely effective. If the breach is only simulated, it really depends on the trust between management and engineering. This is a new engineering requirement, and some people have trouble adapting to that. Code that fails security testing needs to cause reasonable pain – such as a slipped ship date. One very important thing is to try to reduce the latency between bad code being written, and the problems being detected. Zane Lackey's Attack Driven Defense slides talk a lot about this.” - Dan Kaminsky, Chief Scientist at White Ops. Follow him on Twitter: @dakami

4) What do you think is the biggest threat to application security organisations will face in the next five years?

“I think the biggest new threat is coming via web based APIs and there are a few reasons for this. Firstly, they’re being rolled out at a staggering rate and that’s being driven by connected devices and increasingly “The Internet of Things”. Objects that we’d never previously imagined would be connected are now talking over HTTP endpoints and there’s a huge rush to get these things to market. Secondly, they’re exposing increasingly sensitive data and services to the outside world. Having your credentials compromised due to an insecure API is one thing, having your medical history exposed or your front door unlocked is quite another. Finally, by their very nature, web based APIs are more obfuscated than other web resources we’d typically load in the browser. There’s a thin veneer of rich client app (or hardware device) that sits in front of the service and puts it just that little bit further out of view, so that it doesn’t get the same scrutiny as, say, a web page, yet it clearly remains easily discoverable and can pose serious risks.” - Troy Hunt, Software Architect and 4x Microsoft MVP. Follow him on Twitter: @troyhunt

“As applications get more secure, the attack surface will shift toward the lesser secured areas. Most internet-facing applications are getting much better. Mobile applications are one of the biggest targets today, but they too are getting better. The [industrial] internet of things will likely be the most probable target of the future. With more devices becoming digital, and more of them being connected, the number of developers to code for this new environment will increase and in the rush to market, they will likely make a business decision to get products to market as quickly and cheaply as possible. Historically, in markets with these pressures, security is left behind.” - Patrick C Miller, Critical Infrastructure Security and Compliance Advisor. Managing Partner at The Anfield Group. Follow him on Twitter: @PatrickCMiller

“Web applications will continue to be the main front of attack for organizations. That and social-engineering. These are the two most attacked surfaces right now on the Internet. As applications become more and more complex to meet the demands of technology and growing businesses, this also introduces the potential for major exposures to be introduced. We have to focus on coming up with a centralized and manageable way to introduce changes in a secure fashion in order to protect our businesses from these types of attacks.” - David Kennedy, Founder, Principal Security Consultant at TrustedSec. Follow him on Twitter: @HackingDave

“Budgets are actually going to get tight when the bubble bursts. It's going to be hard to keep a security culture alive when every penny counts.” - Dan Kaminsky, Chief Scientist at White Ops. Follow him on Twitter: @dakami

“The exposure of old systems to new environments. More and more legacy systems are being connected to modern technologies and exposed to the internet in different ways. This creates new interactions that the legacy systems were not made to have.” - Rodrigo Branco, Vulnerability & Malware Researcher. Follow him on Twitter: @bsdaemon

“I think the next 5 years will have the same threats as the last 15 years.” - Robert David Graham, Owner of Errata Security. Follow him on Twitter: @ErrataRob

“Attacks on code repositories are rising. App development organisations will be increasingly targeted over the next five years.” - Richard Stiennon, Executive Editor at securitycurrent. Follow him on Twitter: @stiennon

“I'd say the biggest challenges are poor authentication practices and lack of proper input validation and sanitization.” - Dave Shackleford, CEO at Voodoo Security. Follow him on Twitter: @daveshackleford

Adequately protecting applications is, and will continue to be, a pressure point for most organisations. To alleviate the problem application security poses, organisations will have to make security a priority and implement regular, engaging developer training.

Do you agree with the views of these experts? Share your thoughts in the comments below.